Sub-processors
Per GDPR Article 28(2), the third-party services svdy uses to process your data. Updated when our stack changes. Last review: 2026-05-24.
| Provider | Service | Region | Data accessed |
|---|---|---|---|
Amazon Web Services DPA / privacy → | Cloud hosting (compute, database, storage, CDN) | us-east-1 (N. Virginia, USA) | All customer data — workers, attendance entries, documents, logs |
Stripe DPA / privacy → | Payment processing for subscriptions | United States + EU (Stripe Atlas global) | Billing contact, last 4 digits of card, charge history. NEVER full card data — Stripe-side tokenisation. |
Amazon SES DPA / privacy → | Transactional email (sign-up, password reset, alerts) | us-east-1 | Recipient email address, message body. Subject to AWS DPA. |
Expo (EAS) DPA / privacy → | Mobile push notifications via APNs / FCM | United States | Device push token (anonymous), notification body. No PII inside push payloads. |
Cloudflare DPA / privacy → | Authoritative DNS (svdy.com / qutime.com / pureoa.com) | Global (anycast) | DNS query metadata only. svdy uses Cloudflare DNS in grey-cloud mode — NOT proxied — so no customer payload traverses Cloudflare. |
Update protocol
When we add or remove a sub-processor, we:
1. Update this page within 7 days of the change.
2. Email customers 30 days before the change takes effect, with the new processor's name + region + data scope.
3. Honour customer objections under your DPA — typically by ring-fencing your tenant from the affected processor.
